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- The MAILING DATE of this communication appears on the cover sheet with the correspondence address - 
Period for Reply 

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1 . 1 36(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 1 33). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1)^ Responsive to communication(s) filed on 15 January 2004 . 
2a)^ This action is FINAL. 2b)\Zl This action is non-final. 

3) 0 Since this application is in condition for allowance except for formal matters, prosecution as to the merits is 

closed in accordance with the practice under Ex parte Quayle, 1935 CD. 1 1 , 453 O.G. 213. 

Disposition of Claims 

4) ^ Claim(s) 15-28 and 31-35 is/are pending in the application. 

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) 13 Claim(s) 29 and 30 is/are allowed. 

6) M Claim(s) 15-28 and 31-35 is/are rejected. 
?)□ Claim(s) is/are objected to. 

8) n Claim(s) are subject to restriction and/or election requirement. 

Application Papers 

9) n The specification is objected to by the Examiner. 

10)^ The drawing(s) filed on 31 May 2000 is/are: a)S accepted or b)n objected to by the Examiner 
Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1 .85(a). 
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 

11 )□ The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152. 

Priority under 35 U.S.C. § 119 

12)^ Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 1 19(a)-(d) or (f). 
aM All b)n Some * c)^ None of: 

1.^ Certified copies of the priority documents have been received. 

20 Certified copies of the priority documents have been received in Application No. . 



30 Copies of the certified copies of the priority documents have been received in this National Stage 
application from the International Bureau (PCT Rule 17.2(a)). 
* See the attached detailed Office action for a list of the certified copies not received. 

NORMAN ^ WRIGHT 

^„ ^ PRlMAR^SkAMINER 

Attachment(s) 

1) ^ Notice of References Cited (PTO-892) 4) Q Interview Summary (PTO-413) 

2) □ Notice of Draftsperson's Patent Drawing Review (PTO-948) Paper No(s)/Mail Date. . 

3) □ Information Disclosure Statement(s) {PTO-1449 or PTO/SB/08) 5) □ Notice of Informal Patent Application (PTO-152) 

Paper No(s)/Mail Date . 6) □ Other: . 



U.S. Patent and Trademark Office 
PTOL-326 (Rev. 1-04) 
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DETAILED ACTION 



1. 



Claims 15-28 & 31-35 are pending. 



2. 



Claims 29 & 30 are allowed. 



3. 



The amendment of 1/15/04 has been received and considered. 



Claim Rejections - 35 USC §103 



4. The following is a quotation of 35 U.S.C. 1 03(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

5. Claims 15-18, 27, 28 & 32 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over the SKID protocol, described in Applied Cryptography, Second Edition , by Bruce Schneier, 
published 1996, in view of U.S. Patent 6,014,085 to Patel. 

Regarding claims 15, 27 & 28, in describing various authentication protocols, Schneier 
discloses Alice being a user/local machine and Bob being a host/server (see page 52, 1^^ 
paragraph and page 55, 1^^ paragraph). Schneier discloses creating a challenge/random number 
and communicating it along with elements known by the user/" A" to the server/"B" (see page 
55, step 1 and page 56, step 3). Schneier discloses performing a calculation/hash, obtaining a 
first response/RB,Hk(RA,RB3) and transmitting that response (see page 55, step 2) to the 
user/" A". Schneier discloses performing a second calculation/hash that is a function of 
predetermined data and comparing the results (see page 56, step 3). Schneier lacks the challenge 
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including information representing the type of challenge. However, Patel teaches that to avoid 
replay attacks in an authentication system, it is beneficial to use challenge codes representing 
different challenge types to determine authentication codes (see col. 5, lines 5-36). Therefore, it 
would have been obvious to one having ordinary skill in the art at the time the invention was 
made to include information indicating the type of challenge, in the protocol described by 
Schneier, to prevent impersonators from successfully realizing replay attacks (see col. 5, lines 5- 
36). 

Regarding claims 16, 17 & 18, Schneier discloses a hash being performed over the 
challenge/random number (see page 55, step 2 and page 55, step 3). 

Regarding claim 32, Schneier discloses a response/Hk(RA5RB3) composed of hashing a 
string composed of a fixed security key/K stored in the local machine/B and server/A, the name 
of the local machine/B (see page 55, step 2). 

6. Claim 35 is rejected under 35 U.S.C. 103(a) as being unpatentable over U.S. Patent 
6,161 ,1 85 to Guthrie et al. (Guthrie) in view of Patel. Guthrie discloses a user (Fig. 5, element 
1 14), local machine (Fig. 5, element 102) and remote server (Fig. 5, element 104), means for 
classifying information (Fig. 5, element 120) and communication means (Fig. 5, element 1 12 & 
118). Guthrie further discloses a system administrator (see col. 2, lines 42-47), a local machine 
comprising an authentication module that include a first user module (Fig. 5, element 126) for 
generating a challenge (Fig. 4, element 1 14) and second user module for generating a response 
(Fig. 5, element 130) and an administrative authentication module for authorizing access (Fig. 5, 
element 132). Guthrie lacks the challenge including information representing the type of 
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challenge. However, Patel teaches that to avoid replay attacks in an authentication system, it is 
beneficial to use challenge codes representing different challenge types to determine 
authentication codes (see col. 5, lines 5-36). Therefore, it would have been obvious to one 
having ordinary skill in the art at the time the invention was made to include information 
indicating the type of challenge, in the protocol described by Guthrie, to prevent impersonators 
from successfully realizing replay attacks (see col. 5, lines 5-36). 

7. Claims 19-23 & 31 are rejected under 35 U.S.C. 103(a) as being unpatentable over 
Schneier, as applied to claim 16, in further view of Patel. 

Regarding claims 19, 20 & 21, Schneier discloses the SKID protocol, as described above, 
but the protocol lacks sharing a secret value. However, Schneier teaches that "In general, a man- 
in-the-middle attack can defeat any protocol that doesn't involve a secret of some kind." 
Schneier further teaches that protocols that combine authentication with key exchange solve a 
general computer problem wherein different users want to commxmicate securely (see page 56, 
2"^* paragraph). Therefore, it would have been obvious to one having ordinary skill in the art at 
the time the invention was made to establish a secret key between the local machine and server 
to enable secure communication after authentication. One of ordinary skill in the art would have 
been motivated to perform such a modification to enable secure communication and to secure the 
transaction from the man-in-the-middle attack, as taught by Schneier. 

Regarding claim 22, Schneier discloses the SKID protocol, as described above, but lacks 
modifying a shared secret with a key that depends on the local machine. However, in a 
discussion of key-exchange protocols, Schneier discloses that public key cryptography makes 
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key exchange easier, in that a first party encrypts a secret with the public key of a second party. 
This allows only the second party access to the secret (see page 48). Therefore, it would have 
been obvious to one having ordinary skill in the art at the time the invention was made to modify 
the shared secret with a key that depends on the local machine to make key exchange easier. 
One of ordinary skill in the art would have been motivated to perform such a modification to 
make key exchange easier, as taught by Schneier. 

Regarding claim 23, Schneier discloses a byte string consisting of hashing a Master 
Station Secret/RA to obtain a Station Secret/Hk(RA,RB3) (see page 55, step 2). 

Regarding claim 31, Schneier discloses a response/Hk(RA5RB3) composed of hashing a 
string composed of a user's password/K, a Station Secret/RA and the user name/B (see page 55, 
step 2). 

8. Claims 24, 25 & 26 are rejected under 35 U.S.C. 103(a) as being impatentable over 
Schneier in view of Patel, as applied to claims 16, 17 & 18 above, in further view of U.S. Patent 
5,081,677 to Green et al. (Green). Schneier discloses an authentication protocol, as described 
above, but lacks a version number associated with a shared secret, and incremented when the 
shared secret is modified. However, Green teaches that, when updating a master key, it is useful 
to associate a version number with a the key and to increment the version number when the key 
is modified, to enable distributed copies of the key to be updated on first use and to modify the 
master key without exposing it to applications (see col. 2, lines 30-67 and col. 3, lines 5-35). 
Therefore, it would have been obvious to one having ordinary skill in the art at the time the 
invention was made to associate a version number v^th a shared secret and to increment the 
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version number when the secret is modified. One of ordinary skill in the art would have been 
motivated to perform such a modification to enable the shared secrets to be updated at different 
times (on first use) and to enable modification of the secret without exposing it, as taught by 
Green. 

9. Claim 33 is rejected under 35 U.S.C. 103(a) as being unpatentable over Schneier in view 
of Patel, as applied to claim 15 above, in view of U.S. Patent 5,774,650 to Chapman et al. 
(Chapman). Schneier discloses an authentication protocol, as described above, but lacks 
temporary authorization where the duration is configurable. Chapman teaches time-limited 
access to a system is beneficial to temporarily enable a privileged user to use the full 
performance capability of a system by temporarily denying access to less-privileged users (see 
col. 2, lines 38-61). Therefore, it would have been obvious to one having ordinary skill in the art 
at the time the invention was made to include a time-based authorization in Schneier' s system to 
enable a privileged user to access the full capabilities of the system. One of ordinary skill in the 
art would have been motivated to perform such a modification to gain the benefit of enabling a 
user to temporarily gain full access to a system's resources. 

10. Claim 34 is rejected under 35 U.S.C. 103(a) as being unpatentable over Schneier in view 
of Patel, as applied to claim 15 above, in view of Windows NT User Administration , by Ashley 
J. Meggitt & Timothy D. Ritchey (Meggitt). Schneier discloses an authentication protocol, as 
described above, but lacks specific disclosure of locally authenticating a user after disconnection. 
However, Meggitt teaches that Windows NT allows a user, normally authenticated through a 
domain, to login to a local workstation even if the roaming profile is unavailable. Therefore, it 
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would have been obvious to one having ordinary skill in the art at the time the invention was 
made to use the authentication protocol taught by Schneier to allow login to a local machine by a 
user, usually authenticated remotely, in the case that network connectivity has been disrupted. 
One of ordinary skill in the art would have been motivated to perform such a modification to 
gain the benefit of local system access even when remote authentication is unavailable, as taught 
by Meggitt. 

Allowable Subject Matter 

1 1 . Claims 29 & 30 are allowed. 

12. The following is a statement of reasons for the indication of allowable subject matter: 
Regarding claims 29 & 30, the prior art relied upon fails to specifically teach the 

limitation of a challenge composed of a first byte representing the type of challenge, the type of 
challenge indicating whether a network authentication has been performed; second and third 
bytes representing the version number of the shared information; and random alphanumeric 
characters of the fourth to twelfth bytes. 

Response to Amendment 

13. Independent claims 15 & 35, as amended, are unpatentable over Schneier in view of 
Patel, as described above. As stated in the previous office action, the prior art relied upon fails to 
specifically teach the (structural) limitation of a challenge composed of a first byte representing 
the type of challenge, the type of challenge indicating whether a network authentication has been 
performed; second and third bytes representing the version number of the shared information; 
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and random alphanumeric characters of the fourth to twelfth bytes. However, the prior art 
teaches the advantages of the broader "the challenge including information representing the type 
of challenge". 

Conclusion 

14. Applicant's amendment necessitated the new ground(s) of rejection presented in this 
Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). 
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1 .136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS fi-om the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1 . 1 36(a) will be calculated fi-om the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the date of this 
final action. 

15. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Michael J. Simitoski whose telephone number is (703)305-8191. 
The examiner can normally be reached on Monday - Thursday, 6:45 a.m. - 4: 15 p.m.. The 
examiner can also be reached on alternate Fridays from 6:45 a.m. - 3:15 p.m. 

If attempts to reach the examiner by telephone are unsuccessfiil, the examiner's 
supervisor, Gregory Morse can be reached on (703)308-4789. 
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Any response to this action should be mailed to: 

Commissioner of Patents and Trademarks 
Washington, DC 20231 
Or faxed to: 

(703)746-7239 (for formal communications intended for entry) 

Or: 

(703)746-7240 (for informal or draft communications, please label "PROPOSED" 
or "DRAFT") 

Hand-delivered responses should be brought to Crystal Park II, 2121 Crystal Drive, 
Arlington, VA 22202, Fourth Floor (Receptionist). 



Any inquiry of a general nature or relating to the status of this application or proceeding should 
be directed to the receptionist whose telephone number is (703) 305-9000. 



MJSt/' 
February 9, 2004 





